CNPD (Portugal) - Deliberação 2021/533: Difference between revisions

CNPD - Deliberação/2021/533
Authority:	CNPD (Portugal)
Jurisdiction:	Portugal
Relevant Law:	Article 9 GDPR Article 44 GDPR Article 46 GDPR
Type:	Investigation
Outcome:	Violation Found
Started:
Decided:	27.04.2021
Published:	28.04.2021
Fine:	None
Parties:	lnstituto Nacional de Estatística, l.P. Cloudflare, lnc.
National Case Number/Name:	Deliberação/2021/533
European Case Law Identifier:	n/a
Appeal:	n/a
Original Language(s):	Portuguese
Original Source:	CNPD Deliberação (in PT)
Initial Contributor:	n/a

The Portuguese DPA ordered the National Statistical Institute to stop all data transfers to a service provider located in the US.

English Summary

Facts

The Portuguese National Statistical Institute gathers data for their census through a form in their website, using the services of Cloudfare, a service provider based in the US.

Dispute

Holding

in progress

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Portuguese original. Please refer to the Portuguese original for more details.

CNPD 
National Commission for Data Protection 
DELIBERATION/2021 / 533 
1. introduction 
1. 
The National Commission for Data Protection (CNPD) has received more than a dozen participations regarding the ongoing census operation - Census 2021 - carried out by the National Statistics Institute, I.P. (INE), which in part is done by filling out the form available online at https://censos2021.ine.pt/. The greatest number of participations is related to the fact that the survey requires citizens to provide their identification data, namely their full name. However, some respondents associated the requirement to provide identifying data with the transfer of data to a company based in the United States of America. 

2. 
2. The same question was also asked on social networks, and media outlets reported that the information displayed there was inaccurate. 

3. 
3. The ACNPD, under the powers conferred by Article 58(1)(b) and (e) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation - GDPR), in conjunction with Article 3, Article 4(2) and Article 6(1)(b), all of which are applicable to the processing of personal data, is responsible for the protection of personal data. 1 of article 6, all of Law 58/2019, of 8August (which aims to ensure the implementation, in the internal legal order, of the GDPR), has analyzed the website of Statistics Portugal and the platform made available therein, and concluded that this entity uses services provided by the company Cloudflare. Statistics Portugal was also requested to provide information on this operation regarding personal data. 

li. 
Analysis 

i. 
Facts found 

4. 
The Census 2021 data collection form is accessed through the infrastructure provided by Cloudflare, lnc. (hereinafter Cloudflare), a company based in San Francisco, California, in the United States of America. This company provides various Internet security and Content Delivery Network (CDN) services. 

5. 
The CDN consists of a network of servers that aims to reduce the latency of access to servers -i.e., the period of time between the user's action and the response to that action. In effect, through an algorithm that sends information simultaneously to several servers, it chooses the one with the shortest response time. With this, it is possible to deliver information faster and with greater robustness from the point of view of security. 

6. 
ACloudflare owns 200 {hundred} datacenters located in over one hundred countries, the vast majority of which do not have an adequate level of data protection, under the terms of article 45.0 of the RGPD. 

7. 
OINE used the services provided by the company Cloudflare through the onlined subscription to its Business Plan1. This plan provides a set of services, and INE is currently making use of WAF2, the CDN, and Rate Limit3. 

8. This plan is governed by the 'Self-Serve Subscription Agreement'4 (main service provision agreement) and the data processing addendum (Data Processing Addendum version 3.05), dated October 1st, 2020, which is part of the main agreement (see clause 6.1 of the main agreement). 

9. INE justified the conclusion of this contract with the objective of "(...) effectively responding to the performance and information security needs associated with the size and complexity of the Census 2021 operation". 

10. Notwithstanding the use of this service, it is not, nor has it ever been, in question that the information provided by citizens through the Censos 2021 forms is hosted in INE's servers. 

11 . When the citizen accesses the Census 2021 form, it is forwarded to one of Cloudflare's servers according to the referred algorithm. Cloudflare's infrastructure communicates with the INE server by TLS. 

12. The name censos2021.ine.pt is associated with IP 172.67.41.182, located in the United States of America, and is assigned to Cloudflare. Customers access the site using the HTTPS secure communication protocol, and the associated certificate is issued by Cloudflare, Inc ECC CA-3, a certification body of Cloudflare itself. Thus, this company holds both the private key and the plastic key, 
1 This plan is presented on Cloudflare's website as being aimed at small businesses and e-commerce websites that require advanced performance and security, and that give priority to email support. See httos://www.cloudflare.com/olans/business/ 2A WAF helps secure web applications by filtering and monitoring HTTP traffic. It protects against attacks such as Cross Site Request Forgery, 
Cross Site Scripting, SQLlnjection, and others. 3 Rate limiting protects against Denial of Service (DoS) attacks, brute force attacks and other types of malicious behavior. 4 httos://www cloudflare.com/terms/ 
httos://www.cloudflare.com/resources/assets/slt31c6tev37/1 M 1 j5uuFDuLTYiZJJDPBag/bda8d591447971 b3df2bccf5aa4e0916/Customer OPA v,3 1 -en J Oct 2020.pdf 

13. 
Note that the fact that the encryption key used is Cloudflare's means that the encryption is applied by this entity, remaining during the transit of information, and is deciphered by it, and only by it - i.e., before delivering the whole set of information (the data packages) to INE, Cloudflare has to proceed to its deciphering, and INE has no intervention in this process. 

14. 
Moreover, INE admits that it has no control over the transmission of information between citizens and its server. Once inside Cloudflare's CON network, Statistics Portugal has no way of knowing whether the traffic is being directed to servers located in the territory of European Union countries or residing in any other area of the world. 

15. 
As of the date of this deliberation, personal data of more than six million citizens residing in the national territory has been collected. 


ii. Assessment in light of the RGPD 
16 Since the information provided by citizens when filling out the Census 2021 forms constitutes personal data, under the terms of article 4.0, paragraph 1), of the RGPO - since it corresponds to information on identified natural persons -, the census operation is subject to the RGPO, and Statistics Portugal is responsible for the processing, in accordance with paragraphs 2) and 7) of the same article.

17. It is also true that some of the information falls into the category of specific personal data provided for in Article 9(1) of the RGPO, and therefore the data processing is subject to a stricter protection regime and to the obligation to carry out a data protection impact assessment (DPA), in accordance with Article 9(1) and (3)(b) of the RGPO. 

18. 
It should be noted that the AIPO must cover all operations on personal data, including, therefore, the operation corresponding to the transport of information to and from Cloudflare's servers, in the scope of the outsourcing relationship.  

19. On this point, INE declared to the CNPO that "(...) it has chosen to carry out a Data Protection Impact Assessment only for the main statistical operation. This was due to the fact that the tests (2016, 2018, 2020) only aimed at testing collection processes and application functionalities, and were, as far as the application solutions were concerned, partial. Therefore, they did not allow for testing and evaluating the risk inherent in all processes. In this sense, only the final operation allowed for a complete and comprehensive assessment 
)
in a scenario where the decisions taken, given the pandemic context, were being modified and optimized. However, the respective contents are not yet integrated in such a way as to be made immediately available. Although the systematic and continuous monitoring of the EPD and RSI to the Census 2021 is guaranteed." 

20. 
20. As an impact assessment was not carried out for this specific operation on personal data, Statistics Portugal did not carry out an assessment of the risks for the rights of data subjects and, consequently, did not adopt any additional measures to mitigate these risks, focusing only on the performance and security of the system, including consulting the National Security Office. 

21. 
21. Statistics Portugal did not consult the CNPD on this operation, which would have allowed the CNPD to make a statement and thus seek to protect the rights of the data subjects. 

22. 
However, even considering the purpose of this operation, there were other solutions that could have mitigated the risks, ensuring greater control over the data by Statistics Portugal, and, of course, limiting the transit of personal data to the territory of EU Member States, which would not imply sending them to third countries. 

23. 
However, the choice of the NSI implies, as will be shown, the transit of personal data through third countries in relation to the European Union and which do not have the adequate level of protection. It also implies, by virtue of the contract signed, a specific authorization by INE to transfer personal data to the United States of America (USA) and to other countries where the servers used by Cloudflare are located (namely, South Africa, China, India, Jordan, Mexico, Russia, Singapore). 

24. 
As described above, in points 5 and 11, the personal data of citizens residing in Portugal are sent to Cloudflare servers located in different countries that are neither identified nor identifiable by INE or by the data subjects. Moreover, the encryption and decryption key is owned by Cloudflare. 


25. The contract concluded between Statistics Portugal and Cloudflare foresees the transit of personal data to any of the 200 servers used by Cloudflare, as well as the transfer of personal data to the USA.

26. Indeed, under the terms of the Data Processing Addendum version 3.0 (hereinafter 'OPA'), which, it is recalled, forms part of 
contract, personal data are transferred from the customer (data exporter) to Cloudflare (data importer), in the United States of America, using as international transfer mechanism the standard contractual clauses based on Commission Decision 2010/87/EU of 5 February 2010, applicable transfers of personal data to processors established in third countries6 , which are an integral part of the Addendum and are to that extent endorsed by the customer (cf. clause 1.1(m) of the DPA)7. 

27. 
The PPA applies to the extent that Cloudflare processes personal data submitted by the customer to Cloudflare or, as is the case with INE, collected and processed by the customer using the service, where such personal data is subject to applicable data protection legislation. 

28. 
Thus, by (sub)contracting Cloudflare's services, INE, in its capacity of controller and simultaneously of client, accepted the conditions of use of the service, including the amendment to the terms of processing of personal data, which contains a contract between the controller (INE) and the subcontractor (Cloudflare) for the transfer of personal data to the United States of America.

29. 
Also under the terms of the Tender Offer, INEgranted a general authorization to Cloudflare to use other (sub-)subcontractors, whether companies within or outside the Group (clause 4.2), acknowledging and accepting that it may be necessary for the provision of the service to use (sub-)subcontractors established in third countries (clause 6.4). 

30. 
If standard contractual clauses are, in general, a legal instrument for the transfer of personal data to third countries, under the combined provisions of Article 46.0(2)(e) en. 0 5 of the GDPR, it is necessary to verify, however, whether the law of the third country, which obviously overlaps with an instrument of a contractual nature, does not diminish or negate the guarantees offered by these clauses, which aim precisely at compensating for the lack of an adequate level of protection in the country of destination of the data (cf. 

31 . According to the Court of Justice of the European Union (CJEU), it is for the data exporter, on a case-by-case basis, in cooperation with the data importer, to ascertain whether the country of destination in question ensures a level of data protection essentially equivalent to that guaranteed by the EU and, if possible, to adopt additional safeguards to overcome the obstacles and ensure that data protection is maintained9. This obligation also derives from compliance with the principle of accountability, enshrined in 
Article 5.0.2 of the GDPR. 
6 Conformeconstains from Cloudflare's website. the privacy policy was revised on October 27, 2020, to "reflect- a change in the legal instrument underpinning the transfer of personal data from the European Union (EU) to the United States of America (US), which is no longer the Privacy Sh,eld adequacy decision invalidated by the Court of Justice of the European Union (T JEU) in July 2020. in the Schrems li case, to become the standard contractual clauses 7 httos://www.cloudflare.com/cloudflare customer sccs.pdf 8 See nrs. 92 and 93 of the Schrems li Judgment, in which the Court stressed that the assessment of the existence of a level of protection essentially equivalent to that guaranteed in the EU in the country of destination of the data must be made regardless of whether a transfer mechanism provided for in Chapter V of the GDPR is used. 9 See paragraph 134 of the Schrems II judgment.

32. 
According to the CJEU analysis in the Schrems li case, the law of the US -which is the destination country for Cloudflare's international transfers under the standard contractual clauses- allows for interference with the fundamental rights of individuals based on national security and public interest requirements, which may result in access to personal data transferred from the EU to the US and the use of such data in surveillance programs, based on Section 702 of the FISA (Foreign Intelligence Surveillance Act) and Executive Order 123331. 

33. 
The TJEU concluded that such interference is not proportionate under EU law as there is no definition of the scope of the limitations on individuals' rights, no clear and precise rules on the application of such measures and no minimum requirements to protect against risks of abuse, no assessment of necessity, no enforceable rights for data subjects and no judicial remedies, so that the limitations on data protection under US law do not meet the requirements of the EU Charter of Fundamental Rights11 (cf. Articles 7, 8, 47 and 52(1)). 1). 

34. 
Therefore, a transfer of personal data to the U.S. would be possible if the legislation at stake here, and expressly referred to by the CJEU, were not directly or indirectly applicable to Cloudflare or its (sub-)subcontractors, and even then only by taking additional measures that could demonstrably show that this legislation would not be applicable or would have no practical effect on transfers of personal data. 

35. 
However, the services provided by Cloudflare, namely those contracted by INE when it subscribed to the Business Plan, put the company directly under US law, which imposes on it the obligation to grant bulk access to the personal data it processes, already as a provider of electronic communications services12 , without prejudice to other types of services also being covered by other provisions of the US surveillance legislation. 

36. 
Cloudflare acknowledges in point 7 of the Tender Offer that, in its role as a subcontractor, it may be subject to requests for access to personal data by third parties in the context of legal proceedings, which may be "inconsistent" with the law applicable to its customer, i.e., the GDPR. In such a case, where a conflict of laws exists, Cloudflare declares that it will immediately inform the Customer, "unless such notification is legally prohibited" (cf. a) clause 7.1 ). 


10 See paragraph 165 of the cited judgment, where the PRISM andUPSTREAM programs are cited. 11 See paragraphs 175-176, 180-185, 191 and 94 of the cited judgment. 12 Cf. Section 702 of FISA as amended by 50 use§ 188P.

37. 
This is precisely the case with this US legislation that prevents US companies from informing their customers of access by US authorities for the purpose of gathering information on foreigners in the context of national security activity. 

38. 
Therefore, there is no guarantee that the personal data of citizens residing in Portugal, collected by INE through its website, in the context of Censos 2021, will not be accessed by the US authorities, through Cloudflare, due to the services it provides to INE and which imply, according to the contract signed, the transfer of such personal data to the USA. 

39. 
In this sense, as the standard contractual clauses under which personal data are transferred by the NSI to Cloudflare in the USA cannot be respected in the third country of destination, insofar as they are not binding on the authorities of that country, thus not offering the appropriate guarantees required by the GDPR, the CNPD is obliged to prohibit these data transfers, as prescribed by the CJEU.13 

40. 
Furthermore, according to the same case law 14, even if the NSI could demonstrate that the personal data was not transferred to the U.S., the transit of the data would always depend on the adoption of adequate and sufficient additional measures, which are not present here. 


41 . Under Article 5(2) and Article 24 of the GDPR, Statistics Portugal is obliged to comply with the principles and rules on personal data protection and to demonstrate compliance with the processing of personal data under its responsibility. 

III. Conclusion 
42. 
In view of the above and as there is no other corrective measure capable of safeguarding the rights of data subjects, the CNPD, under paragraph}) of Article 58(2) of the GDPR, hereby orders Instituto Nacional de Estatística, I.P., to suspend the sending of personal data from Censos 2021 to the USA and to other third countries without an adequate level of protection, whether through Cloudflare, lnc. or another company, within a maximum period of 12 hours. 

43. 
The same entity shall also ensure, in the scope of any subcontracting, that subcontractors are not obliged to comply with a legislation that departs from the protection conferred by the RGPD. 

44. 
The hearing is waived, in accordance with Article 124.1 a) of the Administrative Procedure Code, considering the urgency of the corrective measure, taking into account the time period of the online collection of the Census and that, otherwise, the risk to the rights, freedoms and guarantees of citizens, potentially more than four million, who have not yet fulfilled their legal obligation to respond to the census operation, would remain. 


13 See paras. 107 and 121 of the cited judgment. 14 Cf. nos. 63 and 183 of the same accd. 
Approved at the meeting of April 27, 2021 

< 
Filipa Galvão (Chair)